Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security

Critical Git Security Vulnerability Announced 49

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Github has announced a security vulnerability and has encourage users to update their Git clients as soon as possible. The blog post reads in part: "A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, github.com and GitHub Enterprise are not directly affected. The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem....Updated versions of GitHub for Windows and GitHub for Mac are available for immediate download, and both contain the security fix on the Desktop application itself and on the bundled version of the Git command-line client."
Security

Grinch Vulnerability Could Put a Hole In Your Linux Stocking 69

Posted by timothy
from the pretty-generic-description-there dept.
itwbennett writes In a blog post Tuesday, security service provider Alert Logic warned of a Linux vulnerability, named grinch after the well-known Dr. Seuss character, that could provide attackers with unfettered root access. The fundamental flaw resides in the Linux authorization system, which can inadvertently allow privilege escalation, granting a user full administrative access. Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September.
Security

Hackers Compromise ICANN, Access Zone File Data System 99

Posted by timothy
from the that-should-be-a-boss-level dept.
Trailrunner7 writes with this news from ThreatPost: Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names. The attack apparently took place in November and ICANN officials discovered it earlier this month. The intrusion started with a spear phishing campaign that targeted ICANN staffers and the email credentials of several staff members were compromised. The attackers then were able to gain access to the Centralized Zone Data System, the system that allows people to manage zone files. The zone files contain quite bit of valuable information, including domain names, the name server names associated with those domains and the IP addresses for the name servers. CANN officials said they are notifying any users whose zone data might have been compromised." (Here's ICANN's public note on the compromise.)
Sony

US Links North Korea To Sony Hacking 175

Posted by samzenpus
from the who's-to-blame dept.
schwit1 writes Speaking off the record, senior intelligence officials have told the New York Times, CNN, and other news agencies that North Korea was "centrally involved" in the hack of Sony Pictures Entertainment. It is not known how the US government has determined that North Korea is the culprit, though it is known that the NSA has in the past penetrated North Korean computer systems. Previous analysis of the malware that brought down Sony Pictures' network showed that there were marked similarities to the tools used in last year's cyber-attack on South Korean media companies and the 2012 "Shamoon" attack on Saudi Aramco. While there was speculation that the "DarkSeoul" attack in South Korea was somehow connected to the North Korean regime, a firm link was never published.
Crime

RFID-Blocking Blazer and Jeans Could Stop Wireless Identity Theft 102

Posted by samzenpus
from the keeping-it-in dept.
An anonymous reader writes A pair of trousers and blazer have been developed by San Francisco-based clothing company Betabrand and anti-virus group Norton that are able to prevent identity theft by blocking wireless signals. The READY Active Jeans and the Work-It Blazer contain RFID-blocking fabric within the pockets' lining designed to prevent hacking through radio frequency identification (RFID) signals emitted from e-passports and contactless payment card chips. According to the clothing brand, this form of hacking is an increasing threat, with "more than 10 million identities digitally pick pocketed every year [and] 70% of all credit cards vulnerable to such attacks by 2015."
Australia

Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware 78

Posted by samzenpus
from the cash-for-corrupted-computers dept.
First time accepted submitter River Tam writes Cybercriminals behind the TorrenLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia. If you're a Windows user in Australia who's had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.
Google

Google Proposes To Warn People About Non-SSL Web Sites 341

Posted by samzenpus
from the protect-ya-neck dept.
mrspoonsi writes The proposal was made by the Google developers working on the search firm's Chrome browser. The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm's browser. If implemented, the developers wrote, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection "provides no data security". Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.
Movies

Top Five Theaters Won't Show "The Interview" Sony Cancels Release 549

Posted by samzenpus
from the nothing-to-see-here dept.
tobiasly writes The country's top five theater chains — Regal Entertainment, AMC Entertainment, Cinemark, Carmike Cinemas and Cineplex Entertainment — have decided not to play Sony's The Interview. This comes after the group which carried off a massive breach of its networks threatened to carry out "9/11-style attacks" on theaters that showed the film. Update: Sony has announced that it has cancelled the planned December 25 theatrical release.
Android

Manufacturer's Backdoor Found On Popular Chinese Android Smartphone 81

Posted by samzenpus
from the sneaking-in dept.
Trailrunner7 writes that researchers at Palo Alto Networks have found a backdoor in Android devices sold by Coolpad. "A popular Android smartphone sold primarily in China and Taiwan but also available worldwide, contains a backdoor from the manufacturer that is being used to push pop-up advertisements and install apps without users' consent. The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor's control system. Ryan Olson, intelligence director at Palo Alto, said the CoolReaper backdoor not only connects to a number of command and control servers, but is also capable of downloading, installing and activating any Android application without the user's permission. It also sends phony over-the-air updates to devices that instead install applications without notifying the user. The backdoor can also be used to dial phone numbers, send SMS and MMS messages, and upload device and usage information to Coolpad."
Verizon

Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor 162

Posted by Soulskill
from the part-and-parcel dept.
An anonymous reader sends this quote from TechDirt: As a string of whistle blowers like former AT&T employee Mark Klein have made clear abundantly clear, the line purportedly separating intelligence operations from the nation's incumbent phone companies was all-but obliterated long ago. As such, it's relatively amusing to see Verizon announce this week that the company is offering up a new encrypted wireless voice service named Voice Cypher. Voice Cypher, Verizon states, offers "end-to-end" encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app made by Cellcrypt.

Verizon says it's initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by "end-to-end encryption," Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.
IT

In IT, Beware of Fad Versus Functional 153

Posted by Soulskill
from the functionality-of-the-month dept.
Lemeowski writes: Cloud, big data, and agile were three of the technology terms that were brandished the most by IT leaders in 2014. Yet, there could be a real danger in buying into the hype without understanding the implications of the technologies, writes Pearson CTO Sven Gerjets. In this essay, Gerjets warns that many IT executives drop the ball when it comes to "defining how a new technology approach will add value" to their organization. He says: "Yes, you can dive into an IT fad without thinking about it, but I can promise you'll look back and be horrified someday. The only time you can fully adopt some of these new methods is when you are starting from scratch. Most of us don't have that luxury because we are working with legacy architectures and technical debt so you have to play hand you've been dealt, communicate well, set clear and measurable outcomes, and use these fads to thoughtfully supplement the environment you are working in to benefit the ecosystem."
Google

Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services 280

Posted by samzenpus
from the no-snooping-zone dept.
jfruh writes Google Chairman Eric Schmidt told a conference on surveillance at the Cato Institute that Edward Snowden's revelations on NSA spying shocked the company's engineers — who then immediately started working on making the company's servers and services more secure. Now, after a year and a half of work, Schmidt says that Google's services are the safest place to store your sensitive data.
Windows

Forbes Blasts Latests Windows 7 Patch as Malware 228

Posted by timothy
from the if-the-president-does-it-is-isn't-illegal dept.
Forbes contributor Jason Evangelho has nothing good to say about a recent Windows 7 patch that's causing a range of trouble for some users. He writes: If you have Windows 7 set to automatically update every Tuesday, it may be to permanently disable that feature. Microsoft has just confirmed that a recent update — specifically KB 3004394 — is causing a range of serious problems and recommends removing it. The first issue that caught my attention, via AMD’s Robert Hallock, is that KB 3004394 blocks the installation or update of graphics drivers such as AMD’s new Catalyst Omega. Nvidia users are also reporting difficulty installing GeForce drivers, though I can’t confirm this personally as my machines are all Windows 8.1. Hallock recommended manually uninstalling the update, advice now echoed officially by Microsoft. More troubles are detailed in the article; on the upside, Microsoft has released a fix.
Google

Job Postings Offer Clues to Future of Google Fiber 38

Posted by timothy
from the it's-getting-oh-so-close dept.
New submitter Admiral Jimbob McGif writes Even as a massive firestorm burns uncontrollably threatening to scorch the very foundations of the internet with AT&T indefinitely halting future GigaPower FTTH rollouts due to uncertainty over the future of net neutrality and the Obama administration proposing to regulate the internet under Title 2, highly suggestive jobs were recently added to Google Careers.

These Google Fiber related positions include: "City Manager", "Community Impact Manager" and "Plant Manager" in all potential Google Fiber cities. Perplexing inconsistences abound, such as Portland, Phoenix, San Jose and Atlanta positions being listed as local. Whereas San Antonio, Raleigh, Charlotte, and Nashville are listed as telecommute positions.

One is inclined to speculate as to what these job postings mean despite Google's disclaimer: "Not all cities where we're exploring hiring a team will necessarily become Google Fiber cities." Would Google post jobs as an act of posturing much like AT&T's supposed "Gigabit smoke screen" bluff? Or, should we expect to see these so called Fiber Huts springing up like so many mushrooms after a heavy rain in an additional 9 metro areas?

At the rate Google is going, is it too soon to speculate over Fiber Dojos popping up in Japan?
Data Storage

Seagate Bulks Up With New 8 Terabyte 'Archive' Hard Drive 219

Posted by timothy
from the thought-you'd-like-to-see-my-vacation-slides dept.
MojoKid writes Seagate's just-announced a new 'Archive' HDD series, one that offers capacities of 5TB, 6TB, and 8TB. That's right, 8 Terabytes of storage on a single drive and for only $260 at that. Back in 2007, Seagate was one of the first to release a hard drive based on perpendicular magnetic recording, a technology that was required to help us break past the roadblock of achieving more than 250GB per platter. Since then, PMR has evolved to allow the release of drives as large as 10TB, but to go beyond that, something new was needed. That "something new" is shingled magnetic recording. As its name suggests, SMR aligns drive tracks in a singled pattern, much like shingles on a roof. With this design, Seagate is able to cram much more storage into the same physical area. It should be noted that Seagate isn't the first out the door with an 8TB model, however, as HGST released one earlier this year. In lieu of a design like SMR, HGST decided to go the helium route, allowing it to pack more platters into a drive.
Networking

BGP Hijacking Continues, Despite the Ability To Prevent It 57

Posted by Soulskill
from the won't-fix dept.
An anonymous reader writes: BGPMon reports on a recent route hijacking event by Syria. These events continue, despite the ability to detect and prevent improper route origination: Resource Public Key Infrastructure. RPKI is technology that allows an operator to validate the proper relationship between an IP prefix and an Autonomous System. That is, assuming you can collect the certificates. ARIN requires operators accept something called the Relying Party Agreement. But the provider community seems unhappy with the agreement, and is choosing not to implement it, just to avoid the RPA, leaving the the Internet as a whole less secure.
Businesses

Is Enterprise IT More Difficult To Manage Now Than Ever? 238

Posted by Soulskill
from the get-off-my-virtualized-lawn dept.
colinneagle writes: Who's old enough to remember when the best technology was found at work, while at home we got by with clunky home computers and pokey dial-up modems? Those days are gone, and they don't look like they're ever coming back.

Instead, today's IT department is scrambling to deliver technology offerings that won't get laughed at — or, just as bad, ignored — by a modern workforce raised on slick smartphones and consumer services powered by data centers far more powerful than the one their company uses. And those services work better and faster than the programs they offer, partly because consumers don't have to worry about all the constraints that IT does, from security and privacy to, you know, actually being profitable. Plus, while IT still has to maintain all the old desktop apps, it also needs to make sure mobile users can do whatever they need to from anywhere at any time.

And that's just the users. IT's issues with corporate peers and leaders may be even rockier. Between shadow IT and other Software-as-a-Service, estimates say that 1 in 5 technology operations dollars are now being spent outside the IT department, and many think that figure is actually much higher. New digital initiatives are increasingly being driven by marketing and other business functions, not by IT. Today's CMOs often outrank the CIO, whose role may be constrained to keeping the infrastructure running at the lowest possible cost instead of bringing strategic value to the organization. Hardly a recipe for success and influence.
United Kingdom

Computer Error Grounds Flights In the UK 68

Posted by Soulskill
from the tripping-over-the-power-cord dept.
Rambo Tribble writes: Reuters reports that flights from Heathrow, Gatwick, and many other airports have been shut down "due to a computer failure." The information comes from European air traffic control body Eurocontrol. No official word as yet as to the nature of the failure. "One source told the BBC the problem was caused by a computer glitch that co-ordinates the flights coming into London and puts the flights in sequence as they come into land or take off. He described it as a 'flight planning tool problem.'" Incoming flights are still being accommodated.
Yahoo!

"Lax" Crossdomain Policy Puts Yahoo Mail At Risk 49

Posted by samzenpus
from the protect-ya-neck dept.
msm1267 writes A researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. The researcher said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more. Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin. While the patch fixed this specific issue, the larger overall configuration issue remains, meaning that other vulnerable .swf files hosted outside the Yahoo CDN and on another Yahoo subdomain could be manipulated the same way.
Sony

Sony Reportedly Is Using Cyber-Attacks To Keep Leaked Files From Spreading 186

Posted by samzenpus
from the fight-fire-with-fire dept.
HughPickens.com writes Lily Hay Newman reports at Slate that Sony is counterhacking to keep its leaked files from spreading across torrent sites. According to Recode, Sony is using hundreds of computers in Asia to execute a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter. Sony used a similar approach in the early 2000s working with an anti-piracy firm called MediaDefender, when illegal file sharing exploded. The firm populated file-sharing networks with decoy files labeled with the names of such popular movies as "Spider-Man," to entice users to spend hours downloading an empty file. "Using counterattacks to contain leaks and deal with malicious hackers has been gaining legitimacy," writes Newman. "Some cybersecurity experts even feel that the Second Amendment can be interpreted as applying to 'cyber arms'."

In seeking the unattainable, simplicity only gets in the way. -- Epigrams in Programming, ACM SIGPLAN Sept. 1982

Working...